3D Printed Head Can Unlock Your Phone

[Thomas Brewster] writes for Forbes, but we think he’d be at home with us. He had a 3D printed head made in his own image and then decided to see what phones with facial recognition he could unlock. Turns out the answer is: most of them — at least, those running Android.

The models tested included an iPhone X, an LG, two Samsung phones, and a OnePlus. Ironically, several of the phones warn you when you enroll a face that the method may be less secure than other locking schemes. Conversely, one phone had a faster feature that is known to make the phone less secure.

The phones didn’t just pop open at a glance of the 3D printed head. Some required a few changes of angle and lighting. But all the Android devices eventually opened. Many vendors reiterated that face unlocking is more like a swipe-to-unlock action than a biometric security measure.

There are quite a few problems with any sort of biometric scan, though. First off, biometrics can change. Your face could become disfigured in a variety of ways. A fingerprint can literally be lost along with its finger. But one of the most worrisome things, to us, is that you can never revoke a biometric signature. Forget your password or lose your keys and we can revoke those things and give you new ones. You can’t get a different face or fingerprint.

The head was made using a specialized rig with 50 cameras by a company that specializes in this. The printer used an old technology — gypsum powder — along with some coloring. The cost was £300 (about $377 at today’s exchange rate).

Granted, it seems hard to imagine a casual thief going through the trouble of modeling your head. But an employer? A law enforcement agency? Or someone who could gain a lot by compromising your phone? It isn’t that hard.

Hmmm… but if they really need to know what’s on your phone… do they really need you and your permission? But seriously, your password is most likely just a short sequence of numbers that (if you have time enough) can be resolved with a brute force attack (well, just trying 0000, 0001, 0002, 0003…).

What happened to the simple “connect the dots” that’s still going strong on Android? People seem to fail to realize that you can have a quick way of unlocking your phone and once you go over 5-6 dots, the number of possible permutations is pretty high…
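
To put numbers on the PIN and pattern keyspaces raised in the two comments above, here is an added example (not part of the article or of either comment) that counts valid patterns on a 3x3 grid and compares them with numeric PINs. It assumes the usual Android pattern rules: each dot is used once, a stroke may not jump over an unvisited dot, and a pattern has 4 to 9 dots.

```python
# Added example: keyspace of a 3x3 unlock pattern vs. a numeric PIN.
# Assumed rules: dots numbered 0..8 row by row, each dot used at most once,
# and a stroke may pass over a dot only if that dot was already visited.

def _midpoint(a, b):
    """Return the dot lying exactly between dots a and b, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(length):
    """Count valid patterns that use exactly `length` dots."""
    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _midpoint(last, nxt)
            if mid is not None and mid not in visited:
                continue  # would jump over an unvisited dot
            total += extend(nxt, visited | {nxt}, remaining - 1)
        return total

    return sum(extend(start, frozenset([start]), length - 1)
               for start in range(9))


def pin_keyspace(digits):
    """Number of possible numeric PINs with exactly `digits` digits."""
    return 10 ** digits


def total_patterns(min_len=4, max_len=9):
    """All valid patterns between min_len and max_len dots (assumed 4..9)."""
    return sum(count_patterns(n) for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    for n in range(4, 10):
        print(f"{n}-dot patterns: {count_patterns(n):>7}")
    print(f"all 4-9 dot patterns: {total_patterns()}")
    for d in (4, 6):
        print(f"{d}-digit PINs: {pin_keyspace(d)}")
```

These counts are upper bounds on guessing effort only; they say nothing about how evenly people choose among the possibilities or about lockout after failed attempts.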